From nobody@FreeBSD.org  Mon May 14 15:36:28 2007
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 8E5F016A410
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 15:36:28 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 66D9913C457
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 15:36:28 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id l4EFaSUk076993
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 14 May 2007 15:36:28 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id l4EFVQbY075991;
	Mon, 14 May 2007 15:31:26 GMT
	(envelope-from nobody)
Message-Id: <200705141531.l4EFVQbY075991@www.freebsd.org>
Date: Mon, 14 May 2007 15:31:26 GMT
From: Roger Marquis<marquis@roble.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: dirmngr has no option to build without openldap
X-Send-Pr-Version: www-3.0

>Number:         112659
>Category:       ports
>Synopsis:       security/dirmngr has no option to build without openldap
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    lofi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 14 15:40:11 GMT 2007
>Closed-Date:    Tue May 15 11:24:19 GMT 2007
>Last-Modified:  Fri May 18 07:20:04 GMT 2007
>Originator:     Roger Marquis
>Release:        5.4-RELEASE-p6
>Organization:
Roble Systems
>Environment:
FreeBSD 5.4-RELEASE-p6 FreeBSD 5.4-RELEASE-p6
>Description:
Cannot build dirmngr due to unnecessary dependencies on openldap.

Many servers do not need openldap, and making it a dirmngr dependency is very un-BSD, i.e., RPM/DLL-hell.


>How-To-Repeat:
Try building port without openldap.

Unsetting "USE_OPENLDAP= yes" in the Makefile does not work.
>Fix:

>Release-Note:
>Audit-Trail:
Class-Changed-From-To: maintainer-update->change-request
Class-Changed-By: edwin
Class-Changed-When: Mon May 14 21:41:15 UTC 2007
Class-Changed-Why:
Fix category (submitter is not maintainer)

http://www.freebsd.org/cgi/query-pr.cgi?pr=112659
Responsible-Changed-From-To: freebsd-ports-bugs->lofi
Responsible-Changed-By: edwin
Responsible-Changed-When: Mon May 14 21:41:22 UTC 2007
Responsible-Changed-Why:
Over to maintainer

http://www.freebsd.org/cgi/query-pr.cgi?pr=112659
State-Changed-From-To: open->closed
State-Changed-By: lofi
State-Changed-When: Tue May 15 11:23:57 UTC 2007
State-Changed-Why:
Not a bug/won't fix.

http://www.freebsd.org/cgi/query-pr.cgi?pr=112659

From: Michael Nottebrock <lofi@freebsd.org>
To: bug-followup@freebsd.org, marquis@roble.com
Cc:  
Subject: Re: ports/112659: security/dirmngr has no option to build without openldap
Date: Tue, 15 May 2007 13:23:25 +0200

 As you already noticed yourself, dirmngr *cannot* be built without OpenLDAP,
 hence there is no option.

 Furthermore, the FreeBSD OpenLDAP ports are split into a client port and a
 server port and the USE_OPENLDAP macro triggers a dependency on the client
 ports only, so there is no need to worry about unnecessary daemons on your
 servers.

From: Roger Marquis <marquis@roble.com>
To: Michael Nottebrock <lofi@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/112659: security/dirmngr has no option to build without
 openldap
Date: Tue, 15 May 2007 08:14:37 -0700 (PDT)

 > As you already noticed yourself, dirmngr *cannot* be built
 > without OpenLDAP, hence there is no option.
 
 Thanks Michael. I should have looked into the configure options
 instead of just the Makefile. That "USE_OPENLDAP=" switch fooled me.
 
 > Furthermore, the FreeBSD OpenLDAP ports are split into a client
 > port and a server port and the USE_OPENLDAP macro triggers a
 > dependency on the client ports only, so there is no need to
 > worry about unnecessary daemons on your servers.

 Agreed, but from a security and usability perspective this is bad
 software design (nothing wrong with the port though).  I'll see if I
 can come up with a patch.
 
 Thanks for the port,
 Roger Marquis

From: Michael Nottebrock <lofi@freebsd.org>
To: Roger Marquis <marquis@roble.com>
Cc: bug-followup@freebsd.org
Subject: Re: ports/112659: security/dirmngr has no option to build without openldap
Date: Wed, 16 May 2007 20:37:55 +0200

 On Tuesday, 15. May 2007, Roger Marquis wrote:
 > > As you already noticed yourself, dirmngr *cannot* be built
 > > without OpenLDAP, hence there is no option.
 >
 > Thanks Michael. I should have looked into the configure options
 > instead of just the Makefile. That "USE_OPENLDAP=" switch fooled me.
 >
 > > Furthermore, the FreeBSD OpenLDAP ports are split into a client
 > > port and a server port and the USE_OPENLDAP macro triggers a
 > > dependency on the client ports only, so there is no need to
 > > worry about unnecessary daemons on your servers.
 >
 > Agreed, but from a security and usability perspective this is bad
 > software design (nothing wrong with the port though).
 
 I tried to explain to you in my previous reply that there are no usability or
 security issues here.

 All you get is an ldap client library, which enables ports and binary packages
 to be built with ldap functionality - and allows users to use that functionality
 should they ever add an ldap server to their network without having to
 rebuild their present software, i.e. a usability bonus (unlike for instance
 the gnupg port, which unfortunately has ldap support turned off by default
 and thus turned off in the binary package as well).

From: Roger Marquis <marquis@roble.com>
To: Michael Nottebrock <lofi@freebsd.org>
Cc: bug-followup@freebsd.org
Subject: Re: ports/112659: security/dirmngr has no option to build without
 openldap
Date: Wed, 16 May 2007 12:03:37 -0700 (PDT)

 On Wed, 16 May 2007, Michael Nottebrock wrote:
 >> ..., But from a security and usability perspective this is bad
 >> software design (nothing wrong with the port though).
 > 
 > I tried to explain to you in my previous reply that there are no
 > usability or security issues here.
 
 There are security issues any time you add code, particularly
 unnecessary code, and ldap libraries add a lot of code.  As Bruce
 Schneier has outlined many times, software security is inversely
 related to the size of the code base.
 
 To make matters worse the openldap port itself has dependencies which
 require the installation of even more unnecessary code.  My company
 has been building secure servers since 1995 and poorly designed,
 dependency-riddled software, aka DLL-hell under Windows and RPM-hell
 under Linux, is the main reason we still do a lot of work with
 FreeBSD.  I sure hope your reply is not an indication that one of this
 BSD's fundamental architectural advantages is being deprecated or
 neglected.
 
 > All you get is an ldap client library, which enables ports and
 > binary packages to be built with ldap functionality - and allows
 > users to use that functionality should they ever add an ldap
 > server to their network without having to rebuild their present
 > software
 
 You might want to check your facts.  We can't even build openldap on
 servers where the PORT_REPLACES_BASE_BIND.  This is a bug in the
 openldap port of course, but it's propagated by dirmngr and several
 other ports.
 
 Roger Marquis

From: Michael Nottebrock <lofi@freebsd.org>
To: Roger Marquis <marquis@roble.com>
Cc: bug-followup@freebsd.org
Subject: Re: ports/112659: security/dirmngr has no option to build without openldap
Date: Fri, 18 May 2007 09:10:27 +0200

 On Wednesday, 16. May 2007, Roger Marquis wrote:
 
 > To make matters worse the openldap port itself has dependencies which
 > require the installation of even more unnecessary code.
 
 Not true. It has (reasonable, from a usability perspective) additional
 *default* dependencies, which can be turned off. An openldap-client
 (or -server for that matter) WITHOUT_SASL, WITHOUT_BDB depends on nothing but
 libtool.
 
 > My company 
 > has been building secure servers since 1995 and poorly designed,
 > dependency-riddled software, aka DLL-hell under Windows and RPM-hell
 > under Linux, is the main reason we still do a lot of work with
 > FreeBSD.  I sure hope your reply is not an indication that one of this
 > BSD's fundamental architectural advantages is being deprecated or
 > neglected.
 
 FreeBSD has been taking many steps to improve the usability of ports, i.e.,
 restructure ports and packages in a way that allows more universal
 out-of-the-box usage, especially with binary packages. This may come as an
 inconvenience to system integrators with special requirements (such as you),
 but as with all matters security and usability, it is a trade-off.

 In this particular case, I'm happy to make the trade-off as it is (as are the
 developers of gnupg), and I'm confident making this trade-off is in accordance
 with the majority of today's system administrators/integrators' demands as
 well.

 That all said - if you can get the gnupg developers to integrate
 a --without-ldap configuration option into the upstream codebase, I'll be
 happy to add an option to the port.

 > > All you get is an ldap client library, which enables ports and
 > > binary packages to be built with ldap functionality - and allows
 > > users to use that functionality should they ever add an ldap
 > > server to their network without having to rebuild their present
 > > software
 >
 > You might want to check your facts.  We can't even build openldap on
 > servers where the PORT_REPLACES_BASE_BIND.  This is a bug in the
 > openldap port of course, but it's propagated by dirmngr and several
 > other ports.

 As you point out yourself, this is a bug elsewhere and thus hardly relevant to
 this PR.
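The trimmed openldap-client build the maintainer describes (WITHOUT_SASL, WITHOUT_BDB, "nothing but libtool") is something an integrator auditing installed code can check rather than take on faith. The shell script below is an added example, not code from the PR, the port, or the FreeBSD project: it compares the dependency closure a port reports under default knobs with the closure under the trimmed knobs and lists the origins only the default build pulls in. `all-depends-list` is a real ports(7) target; the two dependency lists embedded in the script are constructed sample data (the origin names stand in for real make output and are not a claim about the actual port), and `/usr/ports/net/openldap-client` in the trailing comment is a placeholder for the versioned port directory present in an actual tree.

```shell
#!/bin/sh
# Added example, not code from the PR or from the FreeBSD ports tree.
# Goal: show exactly which extra origins a port's *default* knobs pull in,
# compared with a trimmed build (openldap-client with WITHOUT_SASL and
# WITHOUT_BDB, as described in the reply above).
# 'all-depends-list' is a standard ports(7) target; the sample lists below
# are constructed so the script runs without a ports tree.

# port_deps PORTDIR [KNOB ...]
# Print the full dependency closure of a port as sorted origins, one per
# line, passing each KNOB to make(1) as -DKNOB.  Only meaningful when a
# ports tree is present; not called by the offline demonstration below.
port_deps() {
    _dir=$1; shift
    _knobs=""
    for _k in "$@"; do
        _knobs="$_knobs -D$_k"
    done
    # shellcheck disable=SC2086  # word-splitting of _knobs is intended
    (cd "$_dir" && make $_knobs all-depends-list) | sort -u
}

# extra_deps DEFAULT_FILE TRIMMED_FILE
# Origins present in the default build but absent from the trimmed one.
# Both files must be sorted (comm(1) requirement), which port_deps ensures.
extra_deps() {
    comm -23 "$1" "$2"
}

# dep_count FILE: number of origins in a dependency list.
dep_count() {
    wc -l < "$1" | tr -d ' '
}

# ---- constructed sample data (stands in for two port_deps runs) ----------
DEFAULT_LIST=$(mktemp)
TRIMMED_LIST=$(mktemp)
trap 'rm -f "$DEFAULT_LIST" "$TRIMMED_LIST"' EXIT

# Hypothetical closure of an openldap-client built with default knobs
# (origin names are sample values, not taken from a real tree).
printf '%s\n' databases/db42 devel/libtool15 security/cyrus-sasl2 > "$DEFAULT_LIST"
# Hypothetical closure of the same port with WITHOUT_SASL WITHOUT_BDB:
# "nothing but libtool", as the reply states.
printf '%s\n' devel/libtool15 > "$TRIMMED_LIST"

# report: human-readable summary of what the knobs remove from the install.
report() {
    echo "default build : $(dep_count "$DEFAULT_LIST") dependency origin(s)"
    echo "trimmed build : $(dep_count "$TRIMMED_LIST") dependency origin(s)"
    echo "pulled in only by default knobs:"
    extra_deps "$DEFAULT_LIST" "$TRIMMED_LIST" | sed 's/^/  /'
}

report

# With a real ports tree, replace the constructed lists with, for example:
#   port_deps /usr/ports/net/openldap-client > "$DEFAULT_LIST"
#   port_deps /usr/ports/net/openldap-client WITHOUT_SASL WITHOUT_BDB > "$TRIMMED_LIST"
# (/usr/ports/net/openldap-client is a placeholder for the versioned port
#  directory actually present in your tree.)
```

Run it as-is to see the set difference on the sample data; on a FreeBSD host, swap in the two `port_deps` calls from the trailing comment to audit the real port. The same comparison works for any knob on any port, which is the practical way to settle "does this dependency add unnecessary code to my server" for a given build configuration.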
>Unformatted:
